
add_comment_to_pending_review runs the GraphQL query on a missing required argument instead of validating it #2718

@gustavo-sec

Description

Describe the bug

add_comment_to_pending_review decodes its arguments with mapstructure.WeakDecode and never checks the required ones. An omitted required argument (e.g. owner) is left as the zero value and sent to the GraphQL API, which then fails downstream with a confusing message instead of a clear "this argument is required". The other pull request tools (pull_request_read, etc.) validate with RequiredParam/RequiredInt.

Affected version

Version: v1.3.0
Commit: 34227037fc48771baea9af7163e28cb6556ef287
Build Date: 2026-06-11T14:16:55Z

Steps to reproduce the behavior

  1. Call add_comment_to_pending_review with owner omitted, e.g. { "repo": "gated-probe", "pullNumber": 1, "path": "f.go", "body": "x", "subjectType": "LINE" }.
  2. View the output.
  3. The server runs the query with an empty owner and returns:
    failed to get latest review for current user: Could not resolve to a Repository with the name '/gated-probe'.
    
    Nothing indicates that owner was the missing required argument.

Expected vs actual behavior

Expected: missing required parameter: owner (consistent with the other PR tools), before any API call.

Actual: the handler runs on the incomplete input and returns an unrelated downstream repository-resolution error.

Logs

failed to get latest review for current user: Could not resolve to a Repository with the name '/gated-probe'.

Note: the same WeakDecode-without-validation pattern also exists in copilot.go and discussions.go — happy to follow up separately.
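Added example, not code from the reporter or from github-mcp-server: a stdlib-only Go sketch of the two argument-handling paths the issue contrasts. The JSON round-trip in weakDecode stands in for mapstructure.WeakDecode (the verifier has no third-party modules), and requiredString/requiredInt are hypothetical stand-ins for the RequiredParam/RequiredInt helpers the issue cites; the struct, the tags and the reproInput map are constructed from the repro step. Running it shows the decoded-but-unchecked request producing the "/gated-probe" repository name from the log, while the validated path stops on "missing required parameter: owner" before any query is built.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Args mirrors the argument set named in the issue. The struct and its
// JSON tags are this example's own, not the server's types.
type Args struct {
	Owner       string `json:"owner"`
	Repo        string `json:"repo"`
	PullNumber  int    `json:"pullNumber"`
	Path        string `json:"path"`
	Body        string `json:"body"`
	SubjectType string `json:"subjectType"`
}

// reproInput is a constructed copy of the issue's repro request: owner omitted.
var reproInput = map[string]any{
	"repo": "gated-probe", "pullNumber": 1, "path": "f.go", "body": "x", "subjectType": "LINE",
}

// weakDecode stands in for mapstructure.WeakDecode using only the standard
// library: a JSON round-trip that leaves absent keys at their zero value and
// reports nothing about them.
func weakDecode(in map[string]any) (Args, error) {
	var a Args
	raw, err := json.Marshal(in)
	if err != nil {
		return a, err
	}
	return a, json.Unmarshal(raw, &a)
}

// repositoryName builds the "owner/repo" string a repository lookup would use;
// with an empty Owner it is "/gated-probe", the name in the issue's error.
func repositoryName(a Args) string {
	return a.Owner + "/" + a.Repo
}

// requiredString and requiredInt follow the contract the issue attributes to
// RequiredParam/RequiredInt (absent or empty -> "missing required parameter: <name>").
// They are hypothetical stand-ins, not the server's helpers.
func requiredString(m map[string]any, key string) (string, error) {
	v, ok := m[key]
	if !ok {
		return "", fmt.Errorf("missing required parameter: %s", key)
	}
	s, ok := v.(string)
	if !ok {
		return "", fmt.Errorf("parameter %s is not of type string, is %T", key, v)
	}
	if s == "" {
		return "", fmt.Errorf("missing required parameter: %s", key)
	}
	return s, nil
}

func requiredInt(m map[string]any, key string) (int, error) {
	v, ok := m[key]
	if !ok {
		return 0, fmt.Errorf("missing required parameter: %s", key)
	}
	switch n := v.(type) {
	case int:
		return n, nil
	case float64: // JSON-decoded numbers arrive as float64
		if n != float64(int(n)) {
			return 0, fmt.Errorf("parameter %s is not an integer", key)
		}
		return int(n), nil
	}
	return 0, fmt.Errorf("parameter %s is not of type number, is %T", key, v)
}

// validatedDecode checks every required argument before anything is decoded
// or sent, so the caller sees the first missing argument by name.
func validatedDecode(in map[string]any) (Args, error) {
	var a Args
	var err error
	strs := []struct {
		key string
		dst *string
	}{
		{"owner", &a.Owner}, {"repo", &a.Repo}, {"path", &a.Path},
		{"body", &a.Body}, {"subjectType", &a.SubjectType},
	}
	for _, f := range strs {
		if *f.dst, err = requiredString(in, f.key); err != nil {
			return Args{}, err
		}
	}
	if a.PullNumber, err = requiredInt(in, "pullNumber"); err != nil {
		return Args{}, err
	}
	return a, nil
}

func main() {
	a, _ := weakDecode(reproInput)
	fmt.Printf("weak decode would query repository %q\n", repositoryName(a))
	if _, err := validatedDecode(reproInput); err != nil {
		fmt.Println("validated decode:", err)
	}
}
```

The point of the validated path is that the required check runs on the raw argument map, where "absent" is still distinguishable from "zero value"; once the map has been decoded into a struct, an empty Owner and an omitted Owner look identical, which is why the API error is the first place the problem surfaces.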
